SGRP Frühjahrsveranstaltung

Definitions: Logging, Monitoring (1)

Logging: The process of recording events at the time that they occur.
Monitoring: The analysis, assessment and review of data collected for the purpose of controlling the system's availability.
Security Monitoring: The analysis, assessment and review of audit trails and other data collected for the purpose of searching out system events that may constitute violations or attempted violations of system security.

Definitions: Logging, Monitoring (2)

Event: A defined occurrence which could influence a system.
Security Event: An event that is relevant to the security of the system.

Definitions: Logging, Monitoring (3)

Logfile, Log: The physical container of timestamped events.
Audit Trail: A chronological record of system activities that is sufficient to enable the reconstruction, review and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction, from its inception to its final results.

Definitions: Logging, Monitoring (4)

Investigation: Collecting information from and about computer systems.
Forensics: Collecting information from and about computer systems in a way that is admissible in a court of law. (The terms "investigation" and "forensics" are often used synonymously.)

Definitions: Incident Handling (CERT/CC)

CSIRT: A Computer Security Incident Response Team (CSIRT) is a service organization that is responsible for receiving, reviewing and responding to computer security incident reports and activity.
CIRC, CIRT, IRC, IRT, SERT, SIRT: Other acronyms for incident response teams.
CERT, CERT/CC: "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
CERT/CC: The CERT Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
FIRST: Forum of Incident Response and Security Teams.

Definitions: Incident Handling (CVE)

Universal Vulnerability: A universal vulnerability is a state in a computing system (or set of systems) which either:
- allows an attacker to execute commands as another user
- allows an attacker to access data that is contrary to the specified access restrictions for that data
- allows an attacker to pose as another entity
- allows an attacker to conduct a denial of service

Exposure: An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:
- allows an attacker to conduct information gathering activities
- allows an attacker to hide activities
- includes a capability that behaves as expected, but can be easily compromised
- is a primary point of entry that an attacker may attempt to use to gain access to the system or data
- is considered a problem according to some reasonable security policy

Objectives

What are you trying to achieve?
- Incident Response
- Additional layer of defence
- Logging & Forensics
- Patching problem

Objective: Incident Response

Incident response, the appropriate reaction to the detection of an incident, is mainly an organisational issue rather than a technical one. A timely, effective incident response requires 7x24 staffing by technically qualified personnel and also 7x24 availability of decision makers. Are you prepared to pay for this?

Objective: Additional layer of defence

Intrusion Detection Systems (IDS) are often described as providing an additional layer of defence. However, you should be under no illusion that an IDS, even one implemented without budget constraints, will detect ALL intrusions, i.e. be 100% effective.

Objective: Logging & Forensics

In certain circumstances effective logging may be the principal objective. This is advantageous because it supports such difficult areas as incident response and inventory. If the logging is intended to be usable in a court of law (implied by the term forensics), the task becomes significantly more difficult. Logging is a prerequisite for forensics.

Objective: Patching problem (1)

Most of us agree that we would prefer to prevent an intrusion rather than respond to one. However, nowadays we are obliged to live with buggy software, newly discovered vulnerabilities and frequent patches. The delay between discovery of a vulnerability and deployment of the patch is the window of vulnerability, and if the patch is to be staged and tested, this window is lengthy.

Objective: Patching problem (2)

Timeline without an IDS (the window of vulnerability runs from discovery until the patch is deployed):
Vulnerability Discovered -> Vulnerability Published -> Patch Available -> Decision to Patch -> Test Patch -> Deploy Patch

Using a signature based IDS it should be possible to shorten the window of vulnerability, because a signature can be deployed long before the patch has been tested and rolled out:
Vulnerability Discovered -> Vulnerability Published -> Signature Available & Deployed -> Decision to Patch -> Test Patch -> Deploy Patch

The effectiveness of this approach depends on the quality of the incident response process.

Location of Sensors (1)

Network based: Network sensors rely on recognising signatures and simple sequences thereof, and are less appropriate when non-standard components or architectures are used. The positioning of the sensors in the network depends on the objectives, but a good starting point is behind the Internet firewall. Network sensors are bad at detecting internal attacks, and useless against attacks whose signatures are not known (analogous to virus scanners). The vendors provide regular signature updates.

Location of Sensors (2)

Network sensors can tap the network or not. (Figure: two deployments, a sensor fed from a network tap and a sensor attached directly to a switch port.)

Location of Sensors (3)

Host based: A host based IDS will generally include integrity checking of critical files and analysing logs for predefined events and sequences of events. This makes host based IDS potentially more powerful, but more difficult to deploy and use.

Type of Sensor

There are 3 main approaches:
- Integrity checking: Files which should not change are checked at regular intervals against a cryptographic checksum. This can potentially detect unknown attacks.
- Knowledge based: This involves looking for attack signatures and therefore cannot detect an unknown attack, but it is easier to update signatures than to patch a system.
- Behaviour based: Artificial intelligence or statistical systems which look for unusual behaviour by learning normal behaviour are (mostly) still in the laboratory.
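The three sensor approaches side by side, as an added example that is not part of the SGRP slides: a SHA-256 file baseline compared against the current file set (integrity checking), a handful of regular-expression signatures run over web server log lines (knowledge based), and a z-score test that learns "normal" from past login counts (behaviour based). The file contents, signatures, log lines and login counts are all constructed for the example; the z_threshold parameter is where the false-alarm versus missed-intrusion trade-off lives.

```python
"""Added example (not from the SGRP slides): the three sensor approaches
of the "Type of Sensor" slide, each run over constructed sample data.
File contents, signatures, log lines and login counts are all made up."""
from __future__ import annotations

import hashlib
import re
import statistics

# --- 1. Integrity checking ------------------------------------------------
# A baseline of cryptographic digests for files that should never change.
# The baseline itself must be kept where an intruder cannot rewrite it
# (read-only media or a separate host), otherwise the check is worthless.

def make_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Return {path: sha256 hex digest} for every file in the inventory."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def integrity_check(baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Report files modified, removed or newly added since the baseline.
    Unknown attacks are caught too: any change at all is reported."""
    findings = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append(f"MISSING {path}")
        elif hashlib.sha256(current[path]).hexdigest() != digest:
            findings.append(f"MODIFIED {path}")
    findings += [f"NEW {path}" for path in current if path not in baseline]
    return sorted(findings)

# --- 2. Knowledge based (signature matching) ------------------------------
# Constructed signatures.  Only attacks that look like these can be seen;
# a new attack without a signature passes silently.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./\.\./"),
    "sql-injection": re.compile(r"union\s+select", re.IGNORECASE),
    "phf-cgi-probe": re.compile(r"/cgi-bin/phf\b"),
}

def signature_scan(log_lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, signature name) for every matching log line."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits

# --- 3. Behaviour based (statistical anomaly) -----------------------------

def is_anomalous(history: list[int], current: int, z_threshold: float = 3.0) -> bool:
    """Learn "normal" from past observations (e.g. logins per hour) and flag
    the current value if it lies more than z_threshold standard deviations
    from the mean.  A lower threshold catches more intrusions and raises
    more false alarms; that is the tuning trade-off."""
    mean = statistics.mean(history)
    spread = statistics.pstdev(history)
    if spread == 0:
        return current != mean
    return abs(current - mean) / spread > z_threshold

# --- Constructed sample data ----------------------------------------------
BASELINE_FILES = {"/bin/login": b"ELF login v1", "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh"}
CURRENT_FILES = {
    "/bin/login": b"ELF login v1 + trojan",            # modified
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh",   # unchanged
    "/tmp/.hidden": b"rootkit",                        # new
}
LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.0" 200',
    '10.0.0.9 - - "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404',
    '10.0.0.9 - - "GET /../../etc/passwd HTTP/1.0" 403',
    '10.0.0.7 - - "GET /item?id=1 UNION SELECT user,pw FROM t HTTP/1.0" 500',
]
LOGINS_PER_HOUR = [12, 15, 11, 14, 13, 12, 16, 14]   # learned "normal"

def run_all() -> dict:
    """Run all three sensors over the constructed sample data."""
    return {
        "integrity": integrity_check(make_baseline(BASELINE_FILES), CURRENT_FILES),
        "signatures": signature_scan(LOG_LINES),
        "anomaly_40_logins": is_anomalous(LOGINS_PER_HOUR, 40),
        "anomaly_15_logins": is_anomalous(LOGINS_PER_HOUR, 15),
    }

if __name__ == "__main__":
    for sensor, result in run_all().items():
        print(f"{sensor}: {result}")
```

Note how the integrity checker reports the new file in /tmp although no signature exists for it, while the signature scanner only sees the three patterns it was given; the anomaly test flags 40 logins in an hour but not 15, and moving z_threshold down would shift that boundary at the cost of more false alarms.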

Automated Response

If we are going to rely on an IDS to prevent attacks, it is not enough to detect attack signatures. The real and critical attack must be quickly distinguished from all the false alarms, and an appropriate response implemented very rapidly. An automated response (e.g. blocking certain source addresses) appears to be an attractive approach, but is vulnerable to denial of service: an attacker who spoofs the source address of a legitimate peer can have that peer blocked. Active automated response (attacking the attacker) is generally considered unacceptable. Nonetheless, IPS is the new buzzword!

Inventory!

An out-of-the-box IDS will generate thousands of false alarms. Obviously the signature of a Windows vulnerability is not relevant to a Unix system. The real problem is more complicated and requires detailed information about the systems to be protected (an inventory), e.g. the type of software deployed with its patch level, so that the significance of each event can be evaluated.

Outsourcing (1)

The security management sector is expected to show phenomenal growth over the next few years. The correlation (normalisation) and analysis of sensor output can arguably be outsourced more efficiently than performed in house. You will know the true cost! Your managed security vendor should provide an SLA which specifies (among other things) response times for the various levels of alert.

Outsourcing (2)

Alerts must be prioritised, e.g.:
Level 0: Insufficient information (inventory?)
Level 1: Possible attack to which the customer is vulnerable
Level 2: Possible attack to which the customer is not vulnerable
Level 3: etc.

However (unless you outsource the response, which is not usual), your organisation will still have to make staff available 7x24 who are capable of making important decisions quickly.
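Putting the "Inventory!" and "Automated Response" slides together with the alert levels above, as an added example that is not part of the SGRP slides: raw sensor alerts are graded against an inventory (platform, installed software, version) into Level 0, 1 or 2, and only Level 1 alerts may trigger an automatic block, never against a protected address. The inventory, signature metadata, product names (acmehttpd, fooftpd), addresses and alerts are all constructed for the example.

```python
"""Added example (not from the SGRP slides): grading raw IDS alerts against
an inventory into the alert levels of the "Outsourcing (2)" slide, and
guarding an automated block against the denial of service problem of the
"Automated Response" slide.  Inventory, signature metadata, addresses and
alerts are all constructed; the software names are fictitious."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: what each protected host actually runs, with version.
INVENTORY = {
    "192.0.2.10": {"os": "windows", "software": {"acmehttpd": "2.0"}},
    "192.0.2.20": {"os": "linux", "software": {"fooftpd": "1.3"}},
    # 192.0.2.30 exists on the network but was never inventoried
}

# Constructed signature metadata: platform, product and the version that
# fixed the problem (None = every version is affected).  A vendor would
# ship this alongside the signature itself.
SIGNATURE_META = {
    "acmehttpd-traversal": {"os": "windows", "software": "acmehttpd", "fixed_in": "2.1"},
    "fooftpd-overflow": {"os": "linux", "software": "fooftpd", "fixed_in": "1.3"},
    "phf-cgi-probe": {"os": None, "software": "phf", "fixed_in": None},
}

# Addresses an automated block must never touch (own range, upstream DNS):
# a packet with a spoofed source would otherwise be enough to get them blocked.
PROTECTED = [ip_network("192.0.2.0/24"), ip_network("198.51.100.53/32")]

@dataclass(frozen=True)
class Alert:
    signature: str
    src: str
    dst: str

def version_tuple(version: str) -> tuple[int, ...]:
    """'1.3p2' -> (1, 3, 2); sufficient for the constructed versions here."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def triage(alert: Alert) -> tuple[int, str]:
    """Level 0: insufficient information; Level 1: customer vulnerable;
    Level 2: customer not vulnerable."""
    host = INVENTORY.get(alert.dst)
    meta = SIGNATURE_META.get(alert.signature)
    if host is None or meta is None:
        return 0, "insufficient information: host or signature not in inventory"
    if meta["os"] is not None and meta["os"] != host["os"]:
        return 2, f"signature targets {meta['os']}, host runs {host['os']}"
    version = host["software"].get(meta["software"])
    if version is None:
        return 2, f"{meta['software']} is not installed on {alert.dst}"
    fixed = meta["fixed_in"]
    if fixed is not None and version_tuple(version) >= version_tuple(fixed):
        return 2, f"{meta['software']} {version} already contains the fix ({fixed})"
    return 1, f"{meta['software']} {version} on {alert.dst} is vulnerable"

def auto_block_decision(alert: Alert, level: int) -> str:
    """Only Level 1 alerts justify a block, and never of a protected address:
    those go to a human, because a spoofed source could otherwise turn the
    IDS into a denial of service tool against our own infrastructure."""
    if level != 1:
        return "no-action"
    if any(ip_address(alert.src) in net for net in PROTECTED):
        return "escalate-to-human"
    return f"block {alert.src}"

# Constructed alerts, as a raw sensor would emit them.
ALERTS = [
    Alert("acmehttpd-traversal", "203.0.113.7", "192.0.2.10"),    # vulnerable version
    Alert("fooftpd-overflow", "203.0.113.7", "192.0.2.20"),       # already patched
    Alert("acmehttpd-traversal", "203.0.113.9", "192.0.2.20"),    # wrong platform
    Alert("phf-cgi-probe", "203.0.113.9", "192.0.2.30"),          # host not inventoried
    Alert("acmehttpd-traversal", "198.51.100.53", "192.0.2.10"),  # source is our DNS server
]

def run(alerts: list[Alert] = ALERTS) -> list[tuple[str, int, str]]:
    """Return (signature@dst, level, action) for each alert."""
    out = []
    for alert in alerts:
        level, _reason = triage(alert)
        out.append((f"{alert.signature}@{alert.dst}", level, auto_block_decision(alert, level)))
    return out

if __name__ == "__main__":
    for alert in ALERTS:
        level, reason = triage(alert)
        print(f"Level {level}: {alert.signature} {alert.src}->{alert.dst}: "
              f"{reason}; {auto_block_decision(alert, level)}")
```

Of the five constructed alerts only the first ends in an automatic block; the same signature from the DNS server's address is a Level 1 alert too, but is handed to a person instead, which is exactly where the 7x24 staffing requirement of the slide comes from. The Level 0 case shows why the inventory question mark on the slide matters: without the host in the inventory the alert cannot be graded at all.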

Tuning

Tuning, normalisation: As described above, an out-of-the-box IDS will generate thousands of false alarms. The tuning process must reduce this to a handful of serious alerts, which then have to be analysed manually. This tuning process can be expected to take a few months. It would be naive to imagine that the tuning process will be perfect: it involves a trade-off of false alarms against missed intrusions (cf. biometrics).

Summary

Buying an IDS is only a small part of an effective defence. Inventory, tuning and incident response processes are major items. Doing it properly will be very expensive! An IDS with an effective incident response team does not replace properly configured firewalls, hardened servers, etc. Even a well deployed IDS will not detect (never mind prevent) 100% of attacks. This does not mean you should forget it!
